CVEReports

GHSA-RQPP-RJJ8-7WV8: Privilege Escalation via Logic Flaw in OpenClaw WebSocket Authentication

Alon Barad
Software Engineer

Mar 14, 2026

Executive Summary (TL;DR)

OpenClaw versions 2026.3.11 and prior fail to strip client-declared scopes during WebSocket handshakes for shared-token connections, permitting low-privilege users to obtain 'operator.admin' access.

A critical logic flaw in the OpenClaw gateway's WebSocket authentication mechanism allows remote attackers authenticated via shared secrets to arbitrarily elevate their authorization scopes to administrative levels.

Vulnerability Overview

The OpenClaw gateway exposes a WebSocket endpoint for backend connectivity and management operations. This endpoint accepts various authentication mechanisms, including device-linked identities, Control UI session tokens, and shared secrets (passwords or static tokens). Shared secrets are explicitly designed for low-privilege, device-less connections, operating under strict role-based access control (RBAC) boundaries.

A critical logic flaw exists in the gateway's WebSocket connection handler, cataloged as Improper Privilege Management (CWE-269) and Missing Authorization (CWE-862). The vulnerability resides in the scope negotiation phase of the WebSocket handshake, where the server fails to properly sanitize the authorization scopes requested by the connecting client.

By exploiting this oversight, a client authenticated with a standard shared token can self-declare elevated privileges, such as the operator.admin scope. The gateway erroneously binds these requested scopes to the established session, granting the attacker full administrative capabilities without requiring a trusted device identity or Control UI authorization.

Furthermore, when the gateway is configured in trusted-proxy mode, this vulnerability facilitates a secondary attack vector via Cross-Site WebSocket Hijacking (CSWSH). A malicious website can coerce an authenticated victim's browser into initiating the flawed handshake, extending the administrative compromise to unauthorized remote sessions.

Root Cause Analysis

The root cause is a flawed conditional check in the attachGatewayWsMessageHandler function, located within src/gateway/server/ws-connection/message-handler.ts. During the WebSocket initialization sequence, clients submit a connectParams object that contains an array of requested scopes.

The OpenClaw gateway employs a helper function named clearUnboundScopes() to strip sensitive or unauthorized scopes from device-less connections. This function is intended to enforce the principle of least privilege by ensuring that shared-token authentications cannot arbitrarily request administrative roles.

The logic error stems from the inclusion of the !sharedAuthOk boolean flag in the condition determining whether scopes should be cleared. When a client successfully authenticates using a valid shared token or password, the sharedAuthOk variable evaluates to true.

Consequently, the condition !sharedAuthOk evaluates to false, causing the application to bypass the scope-clearing routine entirely. The gateway then proceeds to establish the WebSocket session using the raw, unvalidated scopes array provided by the client in the connectParams payload.

Code Analysis

An analysis of the vulnerable implementation in src/gateway/server/ws-connection/message-handler.ts reveals the exact mechanism of the bypass. The clearUnboundScopes function was defined as follows:

const clearUnboundScopes = () => {
  if (scopes.length > 0 && !controlUiAuthPolicy.allowBypass && !sharedAuthOk) {
    scopes = [];
    connectParams.scopes = scopes;
  }
};

In this vulnerable state, any successful shared-secret authentication (sharedAuthOk === true) prevents the array from being zeroed out. The attacker simply provides scopes: ["operator.admin"] in the initial payload, and the server retains it.

The patch introduced in commit 5e389d5e7c9233ec91026ab2fea299ebaf3249f6 implements a strict, deny-by-default architecture. The clearUnboundScopes function was refactored to unconditionally execute the clearing action when invoked:

// Refactored helper function
const clearUnboundScopes = () => {
  scopes = [];
  connectParams.scopes = scopes;
};

The authorization logic dictating when this function is called was subsequently moved up the call stack to a centralized policy check. The gateway now evaluates the connection context and explicitly clears scopes for any device-less connection that does not originate from a verified Control UI session:

// New centralized authorization check
if (!device && (!isControlUi || decision.kind !== "allow")) {
  clearUnboundScopes();
}

This structural change ensures that shared-token authentications can no longer bypass scope sanitization, closing the privilege escalation vector.
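The two conditions can be checked against each other by enumerating connection contexts and testing one invariant: a device-less connection that is not an allowed Control UI session must end up with no scopes. The model below is an added example, not OpenClaw source; the ctx field names follow the identifiers quoted above, "deny" is a constructed stand-in for any non-"allow" decision, and it assumes the pre-patch helper ran for every device-less connection.

```javascript
// Model only, not OpenClaw source. Field names follow the identifiers quoted above;
// "deny" is a constructed stand-in for any decision.kind other than "allow".
function vulnerableScopes(ctx) {
  let scopes = [...ctx.requested];
  // Assumption: the pre-patch helper runs for every device-less connection.
  if (!ctx.device && scopes.length > 0 && !ctx.allowBypass && !ctx.sharedAuthOk) {
    scopes = [];
  }
  return scopes;
}

function patchedScopes(ctx) {
  let scopes = [...ctx.requested];
  // Post-patch: the caller decides, and the helper clears unconditionally.
  if (!ctx.device && (!ctx.isControlUi || ctx.decisionKind !== "allow")) {
    scopes = [];
  }
  return scopes;
}

// Invariant: a device-less connection that is not an allowed Control UI session
// must never keep scopes it declared for itself.
function violations(policy) {
  const found = [];
  for (const device of [null, { id: "dev-1" }])
    for (const sharedAuthOk of [false, true])
      for (const isControlUi of [false, true])
        for (const decisionKind of ["allow", "deny"]) {
          // allowBypass is held false to isolate the shared-secret path.
          const ctx = { device, sharedAuthOk, isControlUi, decisionKind,
                        allowBypass: false, requested: ["operator.admin"] };
          const unbound = !device && !(isControlUi && decisionKind === "allow");
          if (unbound && policy(ctx).length > 0) found.push(ctx);
        }
  return found;
}

console.log("pre-patch violations:", violations(vulnerableScopes).length);
console.log("post-patch violations:", violations(patchedScopes).length);
```

Every context the pre-patch model lets through has sharedAuthOk set to true, which is the case a regression test for this fix needs to pin down.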

Exploitation Methodology

Exploitation requires the attacker to possess a valid shared secret, such as a gateway token or a password, and network connectivity to the OpenClaw WebSocket endpoint. The attacker does not require prior administrative privileges or a registered device identity.

The attacker initiates a standard WebSocket connection to the gateway. During the handshake phase, the attacker transmits a JSON-formatted connection request payload. This payload specifically sets the device parameter to null to indicate a device-less connection, provides the valid shared secret in the token field, and injects the target elevated scopes into the scopes array.

Because the vulnerable gateway processes the valid token and skips the scope-stripping routine, the session is instantiated with the injected scopes. The attacker can immediately begin issuing administrative Remote Procedure Call (RPC) commands over the WebSocket tunnel.

The following proof-of-concept snippet demonstrates the precise payload structure and the subsequent execution of an administrative command (set-heartbeats):

const res = await connectReq(ws, {
  token: "secret", // Valid shared token
  scopes: ["operator.admin"], // Injected elevated scope
  device: null,
});
 
// Session is now authenticated with 'operator.admin' privileges
const adminRes = await rpcReq(ws, "set-heartbeats", { enabled: false });

Impact Assessment

The vulnerability carries a CVSS v3.1 base score of 9.9 (Critical), reflecting a total compromise of the application's authorization framework. Successful exploitation grants an unprivileged user complete administrative control over the OpenClaw gateway operations.

With operator.admin scopes, an attacker can execute arbitrary gateway commands. Documented capabilities include overriding machine learning models, modifying system status metrics, and manipulating task execution workflows. This level of access severely compromises both the integrity and availability of the gateway and any downstream dependent services.

The presence of this flaw in environments using trusted-proxy mode exacerbates the risk footprint. In this configuration, the Cross-Site WebSocket Hijacking (CSWSH) vector allows remote adversaries to weaponize an authorized user's active session state without directly compromising their credentials.

By tricking a victim into visiting a malicious webpage, the attacker can leverage the victim's browser to initiate the flawed WebSocket handshake. The resulting connection bypasses intended authorization boundaries, rendering perimeter defenses and credential rotation policies ineffective against the resulting privilege escalation.

Remediation and Mitigation

The primary remediation for this vulnerability is upgrading the openclaw npm package to version 2026.3.12 or later. This release incorporates the logic fix that unconditionally clears unbound scopes for all device-less, non-Control UI connections, effectively neutralizing the privilege escalation path.

Organizations should verify the deployment of the patched version by inspecting the package.json and lockfiles within their operational environments. Restarting the OpenClaw gateway service is required to ensure the updated code is actively handling incoming WebSocket connections.
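One way to run the lockfile check described above, as an added example that is not part of the original report or of OpenClaw. It reads the npm lockfile layouts (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of version 1), and the sample lockfile and its package names are constructed.

```javascript
const FIXED = "2026.3.12"; // first patched release named in this report

function parse(v) {
  const [core, pre] = String(v).split("-", 2);
  return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre: pre ?? null };
}

// True when v sorts before fixed. Segments compare numerically, so 2026.10.1 > 2026.3.12.
function isBefore(v, fixed) {
  const a = parse(v), b = parse(fixed);
  for (let i = 0; i < Math.max(a.nums.length, b.nums.length); i++) {
    const d = (a.nums[i] ?? 0) - (b.nums[i] ?? 0);
    if (d !== 0) return d < 0;
  }
  return a.pre !== null && b.pre === null; // a pre-release sorts before its release
}

function auditLockfile(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: isBefore(version, FIXED) });
  // lockfileVersion 2/3: flat map keyed by install path, nested copies included.
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (/(^|\/)node_modules\/openclaw$/.test(path)) record(path, meta.version);
  }
  // lockfileVersion 1: nested dependency tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps ?? {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "openclaw") record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: one affected top-level copy, one patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "gateway-deploy", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.3.11" },
    "node_modules/ops-tool/node_modules/openclaw": { version: "2026.3.12" },
    "node_modules/openclaw-plugin-x": { version: "0.1.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

For a real deployment, pass the parsed contents of package-lock.json to auditLockfile; any entry with affected set to true is still running the pre-patch handshake code once loaded.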

For environments where immediate patching is not feasible, administrators must restrict network access to the OpenClaw gateway. Implement strict IP allowlists, enforce VPN connectivity, or disable shared-token authentication mechanisms entirely in favor of device-linked identities.

Furthermore, security teams should analyze gateway access logs for historical evidence of exploitation. Indicators of compromise include WebSocket connect messages originating from device-less sessions (device: null) that anomalously request operator.admin or other privileged scopes. Auditing RPC execution logs for administrative commands invoked by shared-token identities is also recommended.
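The log review described above can be automated along these lines. This is an added example, not part of the original report or of OpenClaw: the JSON-lines schema (event, connId, auth, device, scopes, method) is hypothetical and must be mapped to whatever the gateway actually logs, and the sample records are constructed.

```javascript
// Constructed sample records in a hypothetical JSON-lines schema.
const SAMPLE_LOG = [
  '{"ts":"2026-03-10T08:00:01Z","event":"ws.connect","connId":"c1","auth":"device","device":{"id":"dev-7"},"scopes":["operator.admin"]}',
  '{"ts":"2026-03-10T08:02:13Z","event":"ws.connect","connId":"c2","auth":"shared-token","device":null,"scopes":["operator.admin"]}',
  '{"ts":"2026-03-10T08:02:14Z","event":"rpc","connId":"c2","method":"set-heartbeats"}',
  '{"ts":"2026-03-10T08:03:00Z","event":"ws.connect","connId":"c3","auth":"shared-token","device":null,"scopes":[]}',
  '{"ts":"2026-03-10T08:03:05Z","event":"rpc","connId":"c1","method":"set-heartbeats"}',
  'truncated line {"ts":',
].join("\n");

// Flags device-less connects that asked for a privileged scope, then attaches
// the RPC methods later invoked on the same connection for triage.
function findSelfDeclaredScopes(logText, privileged = ["operator.admin"]) {
  const suspects = new Map();
  let unparsed = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { unparsed++; continue; }
    if (!rec || typeof rec !== "object") { unparsed++; continue; }
    if (rec.event === "ws.connect") {
      const asked = Array.isArray(rec.scopes)
        ? rec.scopes.filter((s) => privileged.includes(s))
        : [];
      if (rec.device == null && asked.length > 0) {
        suspects.set(rec.connId, {
          connId: rec.connId, ts: rec.ts, auth: rec.auth, scopes: asked, rpcs: [],
        });
      }
    } else if (rec.event === "rpc" && suspects.has(rec.connId)) {
      suspects.get(rec.connId).rpcs.push(rec.method);
    }
  }
  // Unparsed lines are counted so gaps in coverage are visible to the analyst.
  return { findings: [...suspects.values()], unparsed };
}

console.log(JSON.stringify(findSelfDeclaredScopes(SAMPLE_LOG), null, 2));
```

Extend the privileged list with any other scopes the deployment treats as administrative; a finding whose rpcs array is non-empty shows the elevated session was actually used.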

Official Patches

  • OpenClaw: Fix commit implementing strict deny-by-default scope clearing
  • OpenClaw: Pull Request containing the vulnerability fix
  • OpenClaw: Release Notes for patched version 2026.3.12

Technical Appendix

CVSS Score
9.9 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Systems

  • OpenClaw Gateway WebSocket Endpoint
  • openclaw npm package

Affected Versions Detail

Product | Affected Versions | Fixed Version
openclaw (OpenClaw) | <= 2026.3.11 | 2026.3.12

Attribute | Detail
CWE ID | CWE-269, CWE-862
Attack Vector | Network
CVSS Base Score | 9.9
Impact | Administrative Privilege Escalation
Exploit Status | Proof of Concept Available
KEV Status | Not Listed

MITRE ATT&CK Mapping

  • T1068: Exploitation for Privilege Escalation (Privilege Escalation)
  • T1548: Abuse Elevation Control Mechanism (Privilege Escalation)
  • T1557.003: Cross-Site WebSocket Hijacking (Credential Access)

CWE-269: Improper Privilege Management

Improper Privilege Management and Missing Authorization

Known Exploits & Detection

Regression Tests: Proof of Concept demonstrating WebSocket connection with self-declared scopes and RPC execution.

Vulnerability Timeline

  • 2026-03-12: Fix commit 5e389d5e7c pushed to the main repository
  • 2026-03-12: OpenClaw patched version 2026.3.12 released
  • 2026-03-13: Security Advisory GHSA-rqpp-rjj8-7wv8 published
